Analysis

max time kernel: 119s
max time network: 127s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 18-12-2024 00:44

Static task: static1

Behavioral task: behavioral1
Sample: f973e531ec54b83c1cbe586358837e45_JaffaCakes118.html
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: f973e531ec54b83c1cbe586358837e45_JaffaCakes118.html
Resource: win10v2004-20241007-en
General

Target: f973e531ec54b83c1cbe586358837e45_JaffaCakes118.html
Size: 346KB
MD5: f973e531ec54b83c1cbe586358837e45
SHA1: 66bd55f141bc15fc4969ea9eb5dcccb34f52f871
SHA256: 7d490f25af1c8cbf0c930099e584237c1312a8b09cb5ea2eb9b7d119fa7d923d
SHA512: 1d03509e015c867bb55304fbf940e84f210abf80e094195dbe44330690bed1d849885d867bca363a2af6ae117b5e4f486d64762dc432b640727014b566c44114
SSDEEP: 6144:SRsMYod+X3oI+YNLnBFsMYod+X3oI+YNLnBS:+5d+X3/Lf5d+X3/LE
Malware Config

Signatures

Ramnit family

Executes dropped EXE 4 IoCs
pid   Process
2200  svchost.exe
2624  svchost.exe
2788  svchost.exe
2596  DesktopLayer.exe
Loads dropped DLL 4 IoCs
pid   Process
2768  IEXPLORE.EXE
2708  IEXPLORE.EXE
2708  IEXPLORE.EXE
2788  svchost.exe
resource                                                                      yara_rule
behavioral1/files/0x00080000000173e4-2.dat                                   upx
behavioral1/memory/2200-6-0x0000000000400000-0x0000000000436000-memory.dmp   upx
behavioral1/memory/2200-12-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral1/memory/2624-31-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral1/memory/2596-34-0x0000000000400000-0x0000000000436000-memory.dmp  upx
Drops file in Program Files directory 7 IoCs
description                   ioc                                                  Process
File opened for modification  C:\Program Files (x86)\Microsoft\pxD6BF.tmp          svchost.exe
File created                  C:\Program Files (x86)\Microsoft\DesktopLayer.exe    svchost.exe
File opened for modification  C:\Program Files (x86)\Microsoft\DesktopLayer.exe    svchost.exe
File opened for modification  C:\Program Files (x86)\Microsoft\pxD97D.tmp          svchost.exe
File opened for modification  C:\Program Files (x86)\Microsoft\DesktopLayer.exe    svchost.exe
File opened for modification  C:\Program Files (x86)\Microsoft\pxD98D.tmp          svchost.exe
File created                  C:\Program Files (x86)\Microsoft\DesktopLayer.exe    svchost.exe
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                            Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   IEXPLORE.EXE
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   svchost.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   IEXPLORE.EXE
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   svchost.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   svchost.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   DesktopLayer.exe
Modifies Internet Explorer settings
All ioc paths below are relative to \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer
description       ioc                                                                       Process
Key created       Toolbar\WebBrowser                                                        iexplore.exe
Set value (int)   Recovery\AdminActive\{43359971-BCD9-11EF-841E-F2DF7204BD4F} = "0"        iexplore.exe
Key created       Main\WindowsSearch                                                        iexplore.exe
Key created       Main                                                                      IEXPLORE.EXE
Key created       Main                                                                      iexplore.exe
Key created       InternetRegistry                                                          iexplore.exe
Key created       LowRegistry                                                               iexplore.exe
Key created       PageSetup                                                                 iexplore.exe
Set value (int)   Recovery\PendingRecovery\AdminActive = "1"                                iexplore.exe
Set value (int)   Recovery\PendingRecovery\AdminActive = "0"                                iexplore.exe
Key created       Main                                                                      IEXPLORE.EXE
Set value (str)   Main\WindowsSearch\Version = "WS not running"                             IEXPLORE.EXE
Set value (int)   SearchScopes\DownloadRetries = "2"                                        iexplore.exe
Key created       TabbedBrowsing\NewTabPage                                                 iexplore.exe
Key created       BrowserEmulation\LowMic                                                   iexplore.exe
Key created       IETld\LowMic                                                              iexplore.exe
Key created       LowRegistry\DontShowMeThisDialogAgain                                     iexplore.exe
Set value (data)  TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000531dc0924a2a3340bf4223215b927d73000000000200000000001066000000010000200000007cd3a5e9d091a6089dc33689dcda44777aea46c31482705db431564865299d04000000000e800000000200002000000017781add39262bc95f9f4e3ab6a41ef6b764a7ce93d4ad78fe2a17406398264420000000785aef0180b83740c4e9a1bd28d3421d4bbd80246a85ecbad706ff578156694540000000b6a1dffef1d23a060f2a2caccc5d572ad4de787848b9002229e37428659df5cb7cdbc2f0ce99df9e85378781b7c91623e9a6698088289cd1e5e709952d433b25  iexplore.exe
Set value (data)  TabbedBrowsing\NewTabPage\MFV = (value omitted)                           iexplore.exe
Key created       LowRegistry\DOMStorage                                                    iexplore.exe
Set value (int)   Main\CompatibilityFlags = "0"                                             iexplore.exe
Key created       IntelliForms                                                              iexplore.exe
Key created       Zoom                                                                      iexplore.exe
Set value (int)   DomainSuggestion\NextUpdateDate = "440644547"                             iexplore.exe
Key created       Toolbar                                                                   iexplore.exe
Key created       GPU                                                                       iexplore.exe
Key created       Recovery\AdminActive                                                      iexplore.exe
Key created       Recovery\PendingRecovery                                                  iexplore.exe
Key created       TabbedBrowsing                                                            iexplore.exe
Set value (int)   TabbedBrowsing\NTPFirstRun = "1"                                          iexplore.exe
Set value (data)  TabbedBrowsing\NewTabPage\LastProcessed = 40cf7d18e650db01               iexplore.exe
Set value (str)   Main\WindowsSearch\Version = "WS not running"                             iexplore.exe
Set value (str)   Main\FullScreen = "no"                                                    iexplore.exe
Set value (data)  Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000  iexplore.exe
Key created       Main\WindowsSearch                                                        IEXPLORE.EXE
Key created       SearchScopes                                                              iexplore.exe
Key created       DomainSuggestion                                                          iexplore.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid   Process
2200  svchost.exe
2624  svchost.exe
2624  svchost.exe
2624  svchost.exe
2596  DesktopLayer.exe
2596  DesktopLayer.exe
Suspicious behavior: MapViewOfSection 53 IoCs
pid   Process      (identical rows collapsed; count shown)
2200  svchost.exe  26 entries
2624  svchost.exe  27 entries
Suspicious use of AdjustPrivilegeToken 2 IoCs
description              pid   Process
Token: SeDebugPrivilege  2200  svchost.exe
Token: SeDebugPrivilege  2624  svchost.exe
Suspicious use of FindShellTrayWindow 1 IoCs
pid   Process
2328  iexplore.exe
Suspicious use of SetWindowsHookEx 8 IoCs
pid   Process
2328  iexplore.exe
2328  iexplore.exe
2768  IEXPLORE.EXE
2768  IEXPLORE.EXE
2708  IEXPLORE.EXE
2708  IEXPLORE.EXE
2708  IEXPLORE.EXE
2708  IEXPLORE.EXE
Suspicious use of WriteProcessMemory 64 IoCs
description                       pid   Process       procid_target  (identical rows collapsed; count shown)
PID 2328 wrote to memory of 2768  2328  iexplore.exe  31             4 entries
PID 2768 wrote to memory of 2200  2768  IEXPLORE.EXE  32             4 entries
PID 2200 wrote to memory of 380   2200  svchost.exe   3              7 entries
PID 2200 wrote to memory of 388   2200  svchost.exe   4              7 entries
PID 2200 wrote to memory of 416   2200  svchost.exe   5              7 entries
PID 2200 wrote to memory of 472   2200  svchost.exe   6              7 entries
PID 2200 wrote to memory of 488   2200  svchost.exe   7              7 entries
PID 2200 wrote to memory of 496   2200  svchost.exe   8              7 entries
PID 2200 wrote to memory of 588   2200  svchost.exe   9              7 entries
PID 2200 wrote to memory of 664   2200  svchost.exe   10             7 entries
Processes
Tree depth is shown in brackets; child processes are indented under their parent.

[1] C:\Windows\system32\csrss.exe
    command line: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
    PID: 380

[1] C:\Windows\system32\wininit.exe
    command line: wininit.exe
    PID: 388

    [2] C:\Windows\system32\services.exe
        command line: C:\Windows\system32\services.exe
        PID: 472

        [3] C:\Windows\system32\svchost.exe
            command line: C:\Windows\system32\svchost.exe -k DcomLaunch
            PID: 588

            [4] C:\Windows\system32\wbem\wmiprvse.exe
                command line: C:\Windows\system32\wbem\wmiprvse.exe
                PID: 1364

            [4] C:\Windows\system32\DllHost.exe
                command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                PID: 1496

        [3] C:\Windows\system32\svchost.exe
            command line: C:\Windows\system32\svchost.exe -k RPCSS
            PID: 664

        [3] C:\Windows\System32\svchost.exe
            command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
            PID: 748

        [3] C:\Windows\System32\svchost.exe
            command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
            PID: 812

            [4] C:\Windows\system32\Dwm.exe
                command line: "C:\Windows\system32\Dwm.exe"
                PID: 1172

        [3] C:\Windows\system32\svchost.exe
            command line: C:\Windows\system32\svchost.exe -k netsvcs
            PID: 848

            [4] \\?\C:\Windows\system32\wbem\WMIADAP.EXE
                command line: wmiadap.exe /F /T /R
                PID: 840

        [3] C:\Windows\system32\svchost.exe
            command line: C:\Windows\system32\svchost.exe -k LocalService
            PID: 964

        [3] C:\Windows\system32\svchost.exe
            command line: C:\Windows\system32\svchost.exe -k NetworkService
            PID: 280

        [3] C:\Windows\System32\spoolsv.exe
            command line: C:\Windows\System32\spoolsv.exe
            PID: 1020

        [3] C:\Windows\system32\svchost.exe
            command line: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
            PID: 908

        [3] C:\Windows\system32\taskhost.exe
            command line: "taskhost.exe"
            PID: 1100

        [3] C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
            command line: "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
            PID: 832

        [3] C:\Windows\system32\svchost.exe
            command line: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
            PID: 3004

        [3] C:\Windows\system32\sppsvc.exe
            command line: C:\Windows\system32\sppsvc.exe
            PID: 2276

    [2] C:\Windows\system32\lsass.exe
        command line: C:\Windows\system32\lsass.exe
        PID: 488

    [2] C:\Windows\system32\lsm.exe
        command line: C:\Windows\system32\lsm.exe
        PID: 496

[1] C:\Windows\system32\winlogon.exe
    command line: winlogon.exe
    PID: 416

[1] C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    PID: 1248

    [2] C:\Program Files\Internet Explorer\iexplore.exe
        command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\f973e531ec54b83c1cbe586358837e45_JaffaCakes118.html
        PID: 2328
        - Modifies Internet Explorer settings
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [3] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2328 CREDAT:275457 /prefetch:2
            PID: 2768
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            [4] C:\Users\Admin\AppData\Local\Temp\svchost.exe
                command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
                PID: 2200
                - Executes dropped EXE
                - Drops file in Program Files directory
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious behavior: MapViewOfSection
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory

        [3] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2328 CREDAT:340994 /prefetch:2
            PID: 2708
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx

            [4] C:\Users\Admin\AppData\Local\Temp\svchost.exe
                command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
                PID: 2624
                - Executes dropped EXE
                - Drops file in Program Files directory
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious behavior: MapViewOfSection
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Users\Admin\AppData\Local\Temp\svchost.exe
                command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
                PID: 2788
                - Executes dropped EXE
                - Loads dropped DLL
                - Drops file in Program Files directory
                - System Location Discovery: System Language Discovery

                [5] C:\Program Files (x86)\Microsoft\DesktopLayer.exe
                    command line: "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
                    PID: 2596
                    - Executes dropped EXE
                    - System Location Discovery: System Language Discovery
                    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: c758f1ea863b8d9e5e61ccb7c7c15737
SHA1: 71ec5e84974b001e6ca1a491072a6ac67782b76a
SHA256: d3d516e2ef05dddf0f27552e79db444f8535c605f8c0e11bacf60a956dfcadf2
SHA512: dfbd35549bd98e6f3cde32b882b8b617cdeff923856afc4f04735fb27196acffcaaad6a16245035a3c8eec01bb94bf3d2aa7723bc4c60d85005921b528de8a49

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 48e381a8433c7c79db7657cc2dd4d5da
SHA1: fd1ea979adb81f0cfe2b1572c234cb93ac6d89f5
SHA256: f30dc2ecea28795ce7030a5cd1fda95ca174b382668eb91cea92e758e1f6c33b
SHA512: 83a1be5b76417da0edb8ba8d57a8369e9113442ed2dcbafda9632bce6c6a87ec7cf0bd1b3130f08815cab2f5d3e766fe064e68b2ba22b0455233bc8b16c71b28

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 22dea34dcd7dd42a13a66bf76819a861
SHA1: d58b8d23fbb111f833743cb961b8b2f4f6d01009
SHA256: d4928b67cfda9b3b4ac2a9e47019540f653a0a40a2c358c70aa46d7bed59c757
SHA512: 7e8c70ba2277bf8b3783495cb9bee2c5ab4d2c3913de39e45b583ecc52a611d06f1a804a3d1bc9d826c44b1e4f4eb8c627d6fdbfd8422756c67f974cf9f75369

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: ad999ce6dbf3563234c448ffe2b0f18c
SHA1: c56b4e36003a913318bc4f4e373fcd326525fc39
SHA256: f85c8ee17a807c0af322c384adb7645577d29e49ffa6f5b56465e333fcbe83f5
SHA512: 7247f0b6fdf100dbed93dfaa8ffc2b033dd69ff695b80d3f4d70b64ad2ae55c9a85c10dc38cbb85f10b6cd75756f4b144140f11b631d0ccb93d25930e3f5d1f0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 330d8c28444de30deb57fe4d00fe8ac5
SHA1: 93278ce9cf7cfc1948210b9991b031313adbd9d5
SHA256: 2a3afac81ffbf73512a8150fc443a8700fd2f401efb3e447a304a1116e4993db
SHA512: 365ca5327310f8383f9d563c6663a776dbe6fbf8438d18dcd63e73e5bb2a4119b169eff3561124e3a7b72e394b7619a8cef35682f3c86066787ebd38a2aec8fd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 2c27fc45d5e59f76567cac9a8108c2e9
SHA1: 5bc571fdbc14c164005f82ffef2cfce200ed7899
SHA256: 7cf1ceabbc2ed22cee8b64fec3ba96b487b5d377c81060720c331d3d466542fe
SHA512: 8addfe52812340849552bb152cc06ef33cbb6d6f72c809e7af9bd9b8ead8c2790c4bbc343b98d4af6d3260548ce2b49147caa156ff603d8b745fd88638df0a92

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 5252af11b148539c4a1673928cdb6f23
SHA1: 8625844a892927d01c1f0a094ab00454169fe902
SHA256: 6ab9c2350264cc49ae6c483a2fc0be962092ff1a16b4d2d46b1fd769e408b05f
SHA512: 0dc2f8ea687f92c715e7789735aceb64adeb0b373dd9618c089204881fc3d27b2e02b1520cf96297e03d5d5b897db4ebe6ad53da0c7b09206a593bf20b9877e9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: f5156a3ca0094d95f15a8c3abe94c6de
SHA1: 58c34fbe53f84c9aa1613de3fb54bc3fdc5228a1
SHA256: 2e688e48769ebd16901826b9d7dc3648c9733060271514a80a6ee694d9ee4ba0
SHA512: 5aa7d4c88b1489e670059b2eacf8222ddc7ac439063002fcbcf55386960b1b8e1e5f199c7cb829d685bdc722752d241d449a03f41f0030c8d70f59697e1865d7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: ebe25824319b6d5223460930262e8e50
SHA1: 17156f2e4fe104c0395155f58cd962e7380fdf54
SHA256: 9fcc76acf5790bf17c0a3a1091676d0168dae27ba4caf1259f8dcc74fdd86187
SHA512: 71668a7ec121eff25a7c25d92047971e9b87f23fb0b714ab0948fc89c9306ff9f9eec92c998e732dabdd769c0da92426d339967bc1c97777da258ff7b3bf2da4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: aeda92f5bd518883c233d0e900298264
SHA1: bf9807d2a11f5731e02e4de4649dd68275bd215a
SHA256: 40a95271afcec9104daf39fb759f7a8bce4570991fe209d5910b8cfeac0f1547
SHA512: fe810db273854b41b7d333c4853d85d41d2354eba95ea12e7fc911cbdc8f6e9e8ec7f0fa05171dd1ad9c42e721875bbdfb3b781500545bae5610daf972b12912

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 6932b1efd733f763db19154ed51a3bb9
SHA1: d433b1ea2b9401e7ce6afce2a3c2249fcd8a9e6c
SHA256: a92358aec05c1a4ac4202c00b4c8cc4a5bb01384e7b91fd8c4c8c7de91b55a80
SHA512: fc42c02c91d5ccf72895605c9eaf36b981c30f422c22a5c84a69acd3771c7a0d6c7f45abf32904774cd6d34680f15709486ac78ca645100ad3a7c2d45fdb43d6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: c95ad636a0fe0ab2ae128f4a8a3c4ae5
SHA1: 71eed2fdf691c0ae7447a9c931e9aeba11b0f78c
SHA256: b9101b09636bb1b1f49b7dfb2dc78c7ff4cf028eedbfbf2a40b86a6371b9e453
SHA512: 7db1443dad0459b32eae6c2a6f91c7b134ef799ea1c1a54ea50ce30aff18bc8beef802bf5aaed80d504ecb6a2f21dba71c21b7410b68423317d080432af31e7e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: e516813b200109862f10f70038d692b2
SHA1: 20b5b77c430172f49f75dcb8512f745d401b7c4b
SHA256: 4dc2615b689734d7760f03c60ed730cfd1bc07ef8a91035f97b9e5c59ddfbdae
SHA512: 0dab6aaa901aeb314c66f4680194292356cdd1efaf1d69b1daffa10718e8495582929f5b48df35216bc62c3397236392065daf1e9677b4be8a7533eb30bbaa0a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 9ccfb429561b4a8ec3e548f4aaed0de5
SHA1: 8e4cea162377c042876307558a919c8cee320754
SHA256: 2491411944483b9d7c8f673aaf4da6f857125067225bdc2d7908307af61c5681
SHA512: 4aec6689092e2ddbdde280a7fe5dfe90f2c55f37ffa8991c4c6ab55a97b85eea329ec5330df92f1ed52c97f46f41a11fad83db20a44d83617968904cace87967

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 630b1d872cd24d5fbe22ada92ef5f2bc
SHA1: cc3f9ad9504abefc50a8795d8105e3fa324041d5
SHA256: c06c0e0929bcae22868f171cf500395583a0f4e457ae48c4cac789c27c5e5a2d
SHA512: 9504e8acfac321bb91c925f60206fd5b622e46ccfb34b8ace66ac7dedb0ad152066c521b2f2cca2c21cb2a1142facf3e2a4e949f1d80af7bab433ed5c5fb4f10

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 327c9a40c7d2d2f9902e0b1e4958992b
SHA1: 2d3fd5f2793805e0d99702718a12c40b9954e6c1
SHA256: 775b0df63763b4e91291ec296d8f9c8471a4a661d72ae63f47ca54eb5e907034
SHA512: 7591a05b1a62c3f1ad5268cbf563ae7478a5e8d31ae2e981f3ff1935f908b836c93f8c93cacad07f73abd172535b5efc09d134d9f83990a3ccac72565fdb45ba

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: e32022ec8bfe460e36196ce4406cb7cd
SHA1: c8518fe8cf9c90a5ae837bc39a38eb06f73d2688
SHA256: 5c8c36c0154b5598b115294695fe4e5ddafb3d30dbddadc177eed53fb4a0bcbf
SHA512: d9cdbe91377ddaf1c500be8d9ecb0339d99484581ae22b2528b4461b4633a232eba81b03e923b3d5cfeb1cfbfb6319edb05abddf62451114bd854a2eb6e21567

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 06a0bf5086b2dc8a98b8e2418c224fce
SHA1: 673ac432aa2cbe9a97b25a727a031e05dc7e96af
SHA256: b48623281027239ed46bf599e599f242f7ea6ba7eabcb2db2959f7a25286b40e
SHA512: c1be6a1454c47f82df5104765230f893af3b9925d8e03f2927f98c88fb0206016b7be4036a580c60e274d9a9942d88a57205e40e9fa7e78a0e85e6a01f0ddf00

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 1ddb47b58274ed557a17708ab6471a00
SHA1: a6bf1f5625c6d6f958e3bbd8c66457e38b915c39
SHA256: 17888785cc1a4657d4c5a8abb6e58205bb7b292f3d4e74a783930e7040fc37f2
SHA512: 0fe1e9a2a93f6de135105034ca3a3b1250a7385aa17ff7ca4efa6486fe6d6339d1515d8fd6e4cf928fe8c0751f373f8f4de6c990f3eef269c704348835306480

Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Filesize: 181KB
MD5: 4ea6026cf93ec6338144661bf1202cd1
SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Filesize: 84KB
MD5: ca479f31e00f7be4fb964bd0070a217d
SHA1: ea21810d7a04d2c54fea0ab22b2aab63a6a388b4
SHA256: 0095247afcb7ad6d7c01dd86beffb8209e1dddc4fb8282755ea6db5acf69cc58
SHA512: 42a28c71fae414e87a0ec72d5c7cd5f47c816a90a5030715bf4920e643486d3af2648a9ca337d4760a25be880b942664a6ba9d6553759f209235cc266aff9e08